Metadata for managing I/O and storage for a virtualization environment

ABSTRACT

Disclosed is an improved approach for using advanced metadata to implement an architecture for managing I/O operations and storage devices for a virtualization environment. According to some embodiments, a Service VM is employed to control and manage any type of storage device, including directly attached storage in addition to networked and cloud storage. The advanced metadata is used to track data within the storage devices. A lock-free approach is implemented in some embodiments to access and modify the metadata.

CROSS REFERENCE TO RELATED APPLICATION

The present application is a continuation application of U.S. patent application Ser. No. 13/207,357, filed Aug. 10, 2011, now issued as U.S. Pat. No. 8,850,130, which is hereby incorporated by reference in its entirety.

FIELD

This disclosure concerns an architecture for managing I/O and storage devices in a virtualization environment.

BACKGROUND

A “virtual machine” or a “VM” refers to a specific software-based implementation of a machine in a virtualization environment, in which the hardware resources of a real computer (e.g., CPU, memory, etc.) are virtualized or transformed into the underlying support for the fully functional virtual machine that can run its own operating system and applications on the underlying physical resources just like a real computer.

Virtualization works by inserting a thin layer of software directly on the computer hardware or on a host operating system. This layer of software contains a virtual machine monitor or “hypervisor” that allocates hardware resources dynamically and transparently. Multiple operating systems run concurrently on a single physical computer and share hardware resources with each other. By encapsulating an entire machine, including CPU, memory, operating system, and network devices, a virtual machine is completely compatible with most standard operating systems, applications, and device drivers. Most modern implementations allow several operating systems and applications to safely run at the same time on a single computer, with each having access to the resources it needs when it needs them.

Virtualization allows one to run multiple virtual machines on a single physical machine, with each virtual machine sharing the resources of that one physical computer across multiple environments. Different virtual machines can run different operating systems and multiple applications on the same physical computer.

One reason for the broad adoption of virtualization in modern business and computing environments is because of the resource utilization advantages provided by virtual machines. Without virtualization, if a physical machine is limited to a single dedicated operating system, then during periods of inactivity by the dedicated operating system the physical machine is not utilized to perform useful work. This is wasteful and inefficient if there are users on other physical machines which are currently waiting for computing resources. To address this problem, virtualization allows multiple VMs to share the underlying physical resources so that during periods of inactivity by one VM, other VMs can take advantage of the resource availability to process workloads. This can produce great efficiencies for the utilization of physical devices, and can result in reduced redundancies and better resource cost management.

Data Centers are typically architected as diskless computers (“application servers”) talking to a set of networked storage appliances (“storage servers”) via a Fiber Channel or Ethernet network. A storage server exposes volumes that are mounted by the application servers for their storage needs. If the storage server is a block-based server, it exposes a set of volumes that are also called Logical Unit Numbers (LUNs). If, on the other hand, a storage server is file-based, it exposes a set of volumes that are also called file systems. Either way, a volume is the smallest unit of administration for a storage device, e.g., a storage administrator can set policies to backup, snapshot, RAID-protect, or WAN-replicate a volume, but cannot do the same operations on a region of the LUN, or on a specific file in a file system.

Storage devices comprise one type of physical resources that can be managed and utilized in a virtualization environment. For example, VMWare is a company that provides products to implement virtualization, in which networked storage devices are managed by the VMWare virtualization software to provide the underlying storage infrastructure for the VMs in the computing environment. The VMWare approach implements a file system (VMFS) that exposes emulated storage hardware to the VMs. The VMWare approach uses VMDK “files” to represent virtual disks that can be accessed by the VMs in the system. Effectively, a single volume can be accessed and shared among multiple VMs.

While this known approach does allow multiple VMs to perform I/O activities upon shared networked storage, there are also numerous drawbacks and inefficiencies with this approach. For example, because the VMWare approach is reliant upon the VMFS file system, administration of the storage units occurs at a too-broad level of granularity. While the virtualization administrator needs to manage VMs, the storage administrator is forced to manage coarse-grained volumes that are shared by multiple VMs. Configurations such as backup and snapshot frequencies, RAID properties, replication policies, performance and reliability guarantees etc. continue to be at a volume level, and that is problematic. Moreover, this conventional approach does not allow for certain storage-related optimizations to occur in the primary storage path.

Therefore, there is a need for an improved approach to implement I/O and storage device management in a virtualization environment.

SUMMARY

Embodiments of the present invention provide an approach for using advanced metadata to implement an architecture for managing I/O operations and storage devices for a virtualization environment. According to some embodiments, a Service VM is employed to control and manage any type of storage device, including directly attached storage in addition to networked and cloud storage. The Service VM implements the Storage Controller logic in the user space, and with the help of other Service VMs in a cluster, virtualizes all storage hardware as one global resource pool that is high in reliability, availability, and performance. The advanced metadata is used to track data within the storage devices. A lock-free approach is implemented in some embodiments to access and modify the metadata.

Further details of aspects, objects, and advantages of the invention are described below in the detailed description, drawings, and claims. Both the foregoing general description and the following detailed description are exemplary and explanatory, and are not intended to be limiting as to the scope of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings illustrate the design and utility of embodiments of the present invention, in which similar elements are referred to by common reference numerals. In order to better appreciate the advantages and objects of embodiments of the invention, reference should be made to the accompanying drawings. However, the drawings depict only certain embodiments of the invention, and should not be taken as limiting the scope of the invention.

FIG. 1A illustrates an example architecture to implement I/O and storage device management in a virtualization environment according to some embodiments of the invention.

FIG. 1B illustrates a storage hierarchy according to some embodiments of the invention.

FIG. 2 illustrates an approach for implementing deduplication according to some embodiments of the invention.

FIG. 3 illustrates metadata for implementing I/O and storage device management in a virtualization environment according to some embodiments of the invention.

FIG. 4 illustrates block and extent structures according to some embodiments of the invention.

FIG. 5 shows a flowchart of an approach for implementing lock-free metadata access according to some embodiments of the invention.

FIG. 6 shows a flowchart of an approach for implementing top-down metadata access according to some embodiments of the invention.

FIG. 7 shows a flowchart of an approach for implementing bottom-up metadata updates according to some embodiments of the invention.

FIGS. 8-10 show a flowchart of an approach for handling certain race conditions according to some embodiments of the invention.

FIG. 11 shows a flowchart of an approach for handling inconsistent references according to some embodiments of the invention.

FIG. 12 is a block diagram of a computing system suitable for implementing an embodiment of the present invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS OF THE INVENTION

Embodiments of the present invention provide an approach for using advanced metadata to implement an architecture for managing I/O operations and storage devices for a virtualization environment. According to some embodiments, a Service VM is employed to control and manage any type of storage device, including directly attached storage in addition to networked and cloud storage. The Service VM implements the Storage Controller logic in the user space, and with the help of other Service VMs in a cluster, virtualizes all storage hardware as one global resource pool that is highly reliable, available, and in performance. The advanced metadata is used to track data within the storage devices. A lock-free approach is implemented in some embodiments to access and modify the metadata.

FIG. 1A illustrates an architecture for implementing storage management in a virtualization environment according to some embodiments of the invention. The architecture of FIG. 1A can be implemented for a distributed platform that contains multiple servers 100 a and 100 b that manages multiple-tiers of storage. Like the prior art, the multiple tiers of storage includes storage that is accessible through a network 140, such as cloud storage 126 or networked storage 128 (e.g., a SAN or “storage area network”). Unlike the prior art, the present embodiment also permits management of local storage 122/124 that is within or directly attached to the server and/or appliance. Examples of such storage include SSDs 125 (“Solid State Drives”) or HDDs (“hard disk drives”) 127. These collected storage devices, both local and networked, form a storage pool 160. Virtual disks (or “vDisks”) can be structured from the storage devices in the storage pool 160, as described in more detail below. As used herein, the term vDisk refers to the storage abstraction that is exposed by a Service VM to be used by a user VM. In some embodiments, the vDisk is exposed via iSCSI (“internet small computer system interface”) or NFS (“network file system”) and is mounted as a virtual disk on the user VM.

Each server 100 a or 100 b runs virtualization software, such as the ESX product available from VMWare. The virtualization software includes a hypervisor 130/132 to manage the interactions between the underlying hardware and the one or more user VMs 102 a, 102 b, 102 c, and 102 d that run client software.

A special VM 110 a/110 b is used to manage storage and I/O activities according to some embodiment of the invention, which is referred to herein as a “Service VM”. The Service VMs 110 a/110 b are not formed as part of specific implementations of hypervisors 130/132. Instead, the Service VMs run as virtual machines in the hypervisors 130/132 on the various servers 102 a and 102 b, and work together to form a distributed system 110 that manages all the storage resources, including the locally attached storage 122/124, the networked storage 128, and the cloud storage 126. Since the Service VMs run above the hypervisors 130/132, this means that the current approach can be used and implemented within any virtual machine architecture, since the Service VMs of embodiments of the invention can be used in conjunction with any hypervisor from any virtualization vendor.

Each Service VM 110 a-b exports one or more block devices or NFS server targets that appear as disks to the client VMs 102 a-d. These disks are virtual, since they are implemented by the software running inside the Service VMs 110 a-b. Thus, to the user VMs 102 a-d, the Service VMs 110 a-b appear to be exporting a clustered storage appliance that contains some disks. All user data (including the operating system) in the client VMs 102 a-d resides on these virtual disks.

Significant performance advantages can be gained by allowing the virtualization system to access and utilize local (server-internal) storage 122 as disclosed herein. This is because I/O performance is typically much faster when performing access to local storage 122 as compared to performing access to networked storage 128 across a network 140. This faster performance for locally attached storage 122 can be increased even further by using certain types of optimized local storage devices, such as SSDs 125.

Once the virtualization system is capable of managing and accessing locally attached storage, as is the case with the present embodiment, various optimizations can then be implemented to improve system performance even further. For example, the data to be stored in the various storage devices can be analyzed and categorized to determine which specific device should optimally be used to store the items of data. Data that needs to be accessed much faster or more frequently can be identified for storage in the locally attached storage 122. On the other hand, data that does not require fast access or which is accessed infrequently can be stored in the networked storage devices 128 or in cloud storage 126.

Yet another advantage of the present embodiment of the invention is that storage-related optimizations for access and storage of data can be implemented directly within the primary storage path. For example, in some embodiments of the invention, the Service VM 110 a can directly perform data deduplication tasks when storing data within the storage devices. This is far advantageous to prior art approaches that require add-on vendors/products outside of the primary storage path to provide deduplication functionality for a storage system. Other examples of optimizations that can be provided by the Service VMs include quality of service (QoS) functions, encryption, and compression. The new architecture massively parallelizes storage, by placing a storage controller—in the form of a Service VM—at each hypervisor, and thus makes it possible to render enough CPU and memory resources to achieve the aforementioned optimizations.

According to some embodiments, the service VM runs the Linux operating system. The service VM exports virtual disks to the user VMs

For easy management of the appliance, the storage is divided up into abstractions that have a hierarchical relationship to each other. FIG. 1B illustrates the storage hierarchy of the storage objects according to some embodiments of the invention, where all storage in the storage appliance collectively forms a Storage Universe. These storage devices may encompass any suitable devices, such as server-local SSDs or HDDs, network-attached SAN or Cloud storage.

Storage with similar characteristics is classified into tiers. Thus, all SSDs can be classified into a first tier and all HDDs may be classified into another tier etc. In a heterogeneous system with different kinds of HDDs, one may classify the disks into multiple HDD tiers. This action may similarly be taken for SAN and cloud storage.

The storage universe is divided up into storage pools—essentially a collection of specific storage devices. An administrator may be responsible for deciding how to divide up the storage universe into storage pools. For example, an administrator may decide to just make just one storage pool with all the disks in the storage universe in that pool. However, the principal idea behind dividing up the storage universe is to provide mutual exclusion when accessing the disk resources.

This may be one approach that can be taken to implement QoS techniques. For example, one rogue user may result in lots of random JO activity on a hard disk—thus if other users are doing sequential IO, they still might get hurt by the rogue user. Enforcing exclusion through storage pools might be used to provide hard guarantees for premium users. Another reason to use a storage pool might be to reserve some disks for later use.

In some embodiments, the container abstraction specifies a de-duplication domain. That is, all de-duplication is done for data stored within a container. Data in different containers is not de-duplicated even if it is the same. A container is assigned one or more storage pools—this defines the disks where the data for that container will be stored. A container supports several configuration parameters that determine how the data on that container is treated, including for example some or all of the following:

1. Replication factor: Data in a container is replicated based on this replication factor. Replicas are placed on different servers whenever possible.

2. Reed Solomon parameters: While all data is written initially based on the specified replication factor, it may be converted later to use Reed Solomon encoding to further save on storage capacity. The data contraction policy on the vDisks enforces when the data is converted to use Reed Solomon encoding. 3. Encryption type: Data in a container is encrypted based on the specified encryption policy if any. It is noted that there are also other encoding schemes which can be utilized as well. 4. Compression type: Data in a container is compressed based on the given compression type. However, when to compress is a policy that's specified on individual vDisks assigned to a container. That is, compression may be done inline, or it may be done offline. 5. Max capacity: This parameter specifies the max total disk capacity to be used in each tier in the assigned storage pools. 6. Min reserved capacity (specified for each tier): This parameter can also be specified for each tier in the assigned storage pools. It reserves a certain amount of disk space on each tier for this container. This ensures that that disk space would be available for use for this container irrespective of the usage by other containers. 7. Min total reserved capacity: This is the minimum reserved across all tiers. This value should be greater than or equal to the sum of the min reserved capacity per tier values. 8. Max de-duplication extent size: The Rabin fingerprinting algorithm breaks up a contiguous space of data into variable sized extents for the purpose of de-duplication. This parameter determines the max size of such extents. 9. Stripe width: To get high disk bandwidth, it is important to stripe data over several disks. The stripe width dictates the number of extents corresponding to a contiguous vDisk address space that'll be put in a single extent group. 10. Tier ordering: All tiers in the assigned storage pools are ordered relative to each other. Hot data is placed in the tier highest up in the order and migrated to other tiers later based on the ILM (“Information Lifecycle Management” or data waterfalling) policy. A different tier ordering may be specified for random IO as opposed to sequential IO. Thus, one may want to migrate data to the SSD tier only for random IO and not for sequential IO. 11. ILM policy: The ILM policy dictates when data is migrated from one tier to the tier next in the tier ordering. For example, this migration may start when a given tier is more than 90% full or when the data on that tier is more than X days old.

vDisks are the virtual disks that are exported to user VMs by the Service VMs. A vDisk is a software abstraction that manages an address space of S bytes where S is the size of the block device. Each service VM might export multiple vDisks. A user VM might access several vDisks. Typically, all the vDisks exported by a service VM are accessed only by the user VMs running on that server node. A vDisk is assigned a unique container at creation time. The data in the vDisk is thus managed according to the configuration parameters set on the container. Some additional configuration parameters are specified on the vDisk itself, including some or all of the following:

1. De-duplication: This specifies whether de-duplication is to be used for this vDisk. However, when de-duplication is used is determined by the data contraction policy.

2. Data contraction policy: The data contraction policy controls when de-duplication, compression, and Reed-Solomon encoding is applied (if any of them are specified). De-duplication and compression may be applied in-line to a primary storage path or out-of-line. If out-of-line, the data contraction policy specifies the time when deduplication/compression are applied (e.g., X days). Reed-Solomon encoding should be applied offline. The data contraction policy may specify a different time for doing Reed-Solomon than for deduplication/compression. Note that if both deduplication and compression are specified, then data would be de-duplicated and compressed at the same time before writing to disk. 3. Min total reserved capacity: This is the minimum reserved capacity for this vDisk across all the storage tiers. The sum of all minimum total reserved capacity parameters for the vDisks in a container should be less than or equal to the minimum total reserved capacity set on the container. 4. vDisk block size: The vDisk address space is discretized into equal sized blocks. Information about each block is stored, and a the configuration parameter determines the size of this block. It should be less than or equal to the stripe width parameter on the container. A relatively large vDisk block size (e.g., 128 KB) helps reduce the metadata that is maintained. 5. vDisk row blocks: The blocks in a vDisk are conceptually divided into rows. The metadata for each row is kept on one metadata server. This parameter controls how many blocks of this vDisk are in one row. 6. vDisk Capacity: This is the size (in bytes) of the vDisk address space. This effectively controls the size of disk that an external user VM sees. 7. QoS parameters: Each vDisk may specify a priority and a fair share. Competing IO requests from various vDisks shall be scheduled based on this priority and fair share.

As noted above, embodiments of the invention can be used to directly implement de-duplication when implementing I/O in a virtualization environment. De-duplication refers to the process of making sure that a specific data item is not excessively duplicated multiple times within a storage system. Even if there are multiple users or entities that separately perform operations to store the same data item, the de-duplication process will operate to store only a limited number of copies of the data item, but allow those multiple users/entities to jointly access the copies that are actually stored within the storage system.

In some embodiments of the invention, the basic unit of de-duplication is the extent, which is a contiguous portion of storage on a given storage device. Multiple extents can be collected together and stored within an “extent group.” In some embodiments, an extent group corresponds to a single file managed by the underlying filesystem. Thus, the embodiment would utilize a filesystem (e.g., a Linux filesystem) to manage files, where the files correspond to the extent groups to store a set of individual extents. It is noted that while the unit of de-duplication is the extent, the units used for the underlying storage for the extents can be at the granularity of a block. This permits the administration and user access of the data to be a finer level of granularity than the “file” or “extent” level, as described in more detail below.

The left portion of FIG. 2 illustrates two extent groups 250 a and 250 b. Extent group 250 a includes de-duplication with existing de-duplicated extents 202 a and 202 b. Extent group 250 b includes a non-de-duplicated extent 204. As described in more detail below, new extents (such as extent 202 c) can be added to an existing extent group, e.g. the extent group 250 a, if there is sufficient space in the existing extent group.

Assume that a user issues an I/O request to write an item of data 200 to storage. The service VM 240 will perform a process to analyze the data item 200 and assign that data item 200 to an extent for storage. At 220, a determination is made whether de-duplication is desired or enabled. If not, then at 228, a new non-de-duplicated extent 204 is created within an appropriate extent group 250 b to store the data item 200.

If de-duplication is enabled, then a further determination is made at 222 whether the storage system already includes a copy of that data item. According to some embodiments, this is accomplished by performing “Rabin fingerprinting” upon the data that is being stored. Rabin fingerprinting is a known algorithm for objectively dividing data into consistent portions. This algorithm creates uniform and common boundaries for data portions that are partitioned out of larger items of data. The SHA1 algorithm is applied to the data portion created by Rabin fingerprinting to create a unique signature for that data portion. This is a well-known hashing algorithm that takes any set of arbitrary data and creates a 20 byte content-based signature.

The SHA1 algorithm creates a value that is used as an extent identifier (extent ID), which is further used to determine if an earlier copy of the data item 200 has already been stored in the storage system. If a copy already exists, then a new copy of the data item 200 is not stored; instead, the existing copy stored in de-dup extent 202 b is used. A “ref_count” (or reference count) for that extent 202 b would be incremented to provide notice that a new entity is now relying upon this extent 202 b to store the data item 200. However, if a copy of the data item 200 does not yet exist, then a new extent 202 c is created to store the data item 200.

The sizes of the extents and extent groups for the invention can be chosen to suit any desired performance goals. In some embodiments, the extent groups are implemented as 64 Mbyte size files. The non-deduplicated extents are created to have a much larger size than the deduplicated extents. For example, the non-deduplicated extents may be implemented with 1 Mbyte sizes and the deduplicated extents implemented with 8 Kbyte sizes. The goal of this sizing strategy is to make the deduplicated extents as small as practical to facilitate duplications while the non-deduplicated extents are made as large as practical to facilitate efficient physical I/O operations.

Metadata is maintained by the set of Service VMs to track and handle the data and storage objects in the system. Each vDisk corresponds to a virtual address space forming the individual bytes exposed as a disk to user VMs. Thus, if the vDisk is of size 1 TB, the corresponding address space maintained by the invention is 1 TB. This address space is broken up into equal sized units called vDisk blocks. The Metadata is used to track and maintain the contents of the vDisks and vDisk blocks.

As illustrated in FIG. 3, embodiments of the invention maintain three mapping structures as the metadata 300 to track the stored data. A first metadata structure (vDisk map 302) is used to map the vDisk address space for the stored extents. Given a specified vDisk and offset, the vDisk map 302 can be used to identify a corresponding extent ID. A second metadata structure (extent ID map 304) is used to map extent IDs. Given a specified extent ID, the extent ID map 304 can be used to identify a corresponding extent group. A third metadata structure (extent group ID map 306) is used to map specific storage information for extent group IDs. Given a specified extent group ID, the extent group ID map 306 can be used to identify corresponding information, such as for example, (1) disk identifier for the extent group, (2) list of extent IDs in that extent group, (3) information about the extents such as ref_counts, checksums, and offset locations.

The vDisk map expects the I/O request to identify a specific vDisk and an offset within that vDisk. In the present embodiment, the unit of storage is the block, whereas the unit of deduplication is the extent. Therefore, the vDisk map is basically assuming the unit of storage specified by the offset information is to a block, and then identifying the corresponding extent ID from that block, where the extent offset can be derived for within the block.

FIG. 4 illustrates the address space of a typical vDisk according to some embodiments. The boxes 402 with dotted boundaries indicate the vDisk blocks which are all of equal size (e.g., 8 KB in this example). The solid boxes 404 indicate the actual extents. As noted above, extents are of two types—ones that are used during de-duplication and ones that are not. The ones that are not used during de-duplication have the same size as that of a vDisk block—the corresponding vDisk block contains exactly one of these extents (extents 404 a and 404 b in the figure). However, when an extent is used for deduplication, such an extent might be of a variable size. Such extents are shown as extents 406 a-c in the figure. Since these extents may not align with vDisk block boundaries, it is possible that such a vDisk block may contain more than one such extent.

The non-deduplicated extents 404 a-b are owned by the vDisk and can typically be updated in place. They become copy-on-write only when snapshots are taken. The de-duplicated extents 406 a-c are never updated in place.

The discretization into vDisk blocks helps store this information in a table in the vDisk map. Thus, given any random offset within the vDisk, one can discretize it obtain the corresponding vDisk block boundary. A lookup can be performed in the vDisk map for that (vDisk, vDisk block) combination. The information in each vDisk block is stored as a separate column in the table. A collection of vDisk blocks might be chosen to be stored in a single row—this guarantees atomic updates to that portion of the table. A table can be maintained for the address space of each vDisk. Each row of this table contains the metadata for a number of vDisk blocks (e.g., in the figure, each row contains information about 6 vDisk blocks). Each column corresponds to one vDisk block. The contents of the column contain a number of extentIDs and the offset at which they start in the vDisk block.

As noted above, a collection of extents is put together into an extent group, which is stored as a file on the physical disks. Within the extent group, the data of each of the extents is placed contiguously along with the data's checksums (e.g., for integrity checks). Each extent group is assigned a unique ID (e.g., 8 byte ID) that is unique to a container. This id is referred to as the extent group ID.

The extent ID map essentially maps an extent to the extent group that it is contained in. The extent ID map forms a separate table within the metadata—one for each container. The name of the table contains the id of the container itself. The lookup key of this table is the canonical representation of an extent ID. In some embodiments, this is either a 16 byte combination containing (vDiskID, Offset) for non-deduplicated extents, or a 24 byte representation containing (extent size, SHA1 hash) for deduplicated extents. The corresponding row in the table just contains one column—this column contains the extent Group ID where the corresponding extent is contained.

When updates are made to a vDisk address space, the existing extent is replaced by another (in case of de-duplication). Thus the old extent may get orphaned (when it is no longer referred to by any other vDisk in that container). Such extents will ultimately be garbage collected. However, one possible approach is to aggressively reclaim disk space that frees up. Thus, a “ref_count” value can be associated with each extent. When this ref_count drops to 0, then it can be certain that there are no other vDisks that refer this extent and therefore this extent can immediately be deleted. The ref_count on a deduplicated extent may be greater than one when multiple vDisks refer to it. In addition, this may also occur when the same extent is referred to by different parts of the address space of the same vDisk. The ref_count on a non-deduplicated extent may be greater than one when multiple snapshots of a vDisk refer to that extent. One possible approach for implementing snapshots in conjunction with the present invention is described in U.S. Pat. No. 9,009,106, filed on Aug. 10, 2011, which is incorporated by reference in its entirety. The ref_count on an extent is stored inside the metadata for the extent group in the extent Group ID map rather than in the extent ID map. This allows batch updates to be made to several extents and to allow updates to a single extent Group ID metadata entry.

To reduce the number of metadata lookups, an optimization can be made for the case of non-deduplicated extents that have a ref_count of one and are owned solely by the vDisk in question. In such a case, the extent ID map does not have an entry for such extents. Instead, the extent Group ID that they belong to is put in the vDisk address space map itself in the same entry where information about the corresponding vDisk block is put.

The extent Group ID map provides a mapping from an extent Group ID to the location of the replicas of that extent Group ID and also their current state. This map is maintained as a separate table per container, and is looked up with the extent Group ID as the key. The corresponding row in the table contains as many columns as the number of replicas. Each column is referenced by the unique global disk ID corresponding to the disk where that replica is placed. In some embodiments, disk IDs in the server/appliance are assigned once when the disks are prepared. After that, the disk ids are never changed. New or re-formatted disks are always given a new disk ID. The mapping from disk IDs to the servers where they reside is maintained in memory and is periodically refreshed.

An extra column can also be provided for the vDisk ID that created this extent group. This is used to enforce the property that only one vDisk ever writes to an extent group. Thus, there is never a race where multiple vDisks are trying to update the same extent group.

In some embodiments, for each replica, some or all of the following information is maintained:

a. The diskID where the replica resides.

b. A Version number.

c. A Latest Intent Sequence number. This is used for maintaining metadata consistency and is explained later in the subsequent sections.

d. The extent ids of each of the extents contained in the extent group. This is either the 8 byte offset for non-dedup extents, or 24 bytes

(size, SHA1) for dedup extents. For each extent, the offset in the extentGroupID file is also contained here. Additionally a 4 byte refcount is also stored for each extent. Finally, an overall checksum is stored for each extent. This checksum is written after a write finishes and is primarily used by a disk scrubber to verify the integrity of the extent group data. e. Information about all the tentative updates outstanding on the replica. Each tentative update carries an Intent Sequence number. It also carries the tentative version that the replica will move to if the update succeeds.

If multiple replicas share the same information, then that information will not be duplicated across the replicas. This cuts down unnecessary metadata bloat in the common case when all the replicas are the same.

At any time, multiple components in the appliance may be accessing and modifying the same metadata. Moreover, multiple related pieces of the metadata might need to be modified together. While these needs can be addressed by using a centralized lock manager and transactions, there are significant performance reasons not to use these lock-based approaches. One reason is because this type of central locking negatively affects performance since all access to metadata would need to go through the centralized lock manager. In addition, the lock manager itself would need to be made fault tolerant, which significantly complicates the design and also hurts performance. Moreover, when a component that holds a lock dies, recovering that lock becomes non-trivial. One may use a timeout, but this may result in unnecessary delays and also timing related races.

Therefore, embodiments of the present invention provide an approach that utilizes lock-free synchronization, coupled with careful sequencing of operations to maintain the consistency of the metadata. The main idea is that the order in which the metadata of FIG. 3 is accessed will differ between operations that do not change the metadata (e.g., read operations) and operations that will result in a change to the metadata (e.g., write operations).

The high level flowchart of this approach is shown in FIG. 5, in which the I/O request is received at 502. A determination is made at 504 whether the I/O request involves some sort of change or update to the metadata. With regard to the three metadata maps 302, 304, and 306 shown in FIG. 3, read operations should always proceed in a top-down direction starting with vDisk map 302, then extent ID map 304, followed by extent group ID map 306. In contrast, write operations will proceed in the bottom-up direction starting with the extent group ID map 306, followed by the extent ID map 304, and then subsequently followed by the vDisk map 302.

The reason this works is because any dangling or inconsistent references caused by a failure of the write operations in the bottom-up direction should not result in any detectable inconsistencies for the read operations that work in the top-down direction. This is because each layer of the metadata builds upon each other so that in the top-down direction, an extent ID identified from the vDisk map 302 should have a corresponding entry in the next level extent ID map 304, which in turn is used to identify an extent group ID which itself should have a corresponding entry in the extent group ID map 306.

To explain, consider first the opposite situation in which an update/write operation to the metadata is made in same direction as the read operations (i.e., in the top-down direction). Assume that the write operation successively creates an extent ID entry in the vDisk map 302, but dies before it is able to complete the operation and therefore never has the opportunity to create an entry in the extent ID map 304 that maps the extent ID to an extent group ID. In this situation, a subsequent read operation may possibly read that extent ID from the vDisk map 302, but will encounter a dangling/inconsistent reference because that extent ID does not map to anything in the extent ID map 304.

Now, consider if the update/write operation to the metadata is made in the bottom-up direction. Assume that the write operation successively creates a mapping between the extent ID and an extent group ID in the extent ID map 304. Further assume that the operation dies before it is able to finish, and therefore never has the opportunity to create an entry in the vDisk map 302 for the extent ID. This situation also creates a dangling reference in the extent ID map 304. However, unlike the previous scenario, a subsequent read operation will never reach the dangling reference in the extent ID map 304 because it has to first access the vDisk map 302, and since the previous operation did not reach this map, there is no reference to the new extent ID in the vDisk map 302. Therefore, the subsequent read should not be able to find a path to reach the dangling reference in the extent ID map.

In this way, the present approach inherently maintains the integrity of the metadata without needing to provide any central locking schemes for that metadata. Crashes may result in some excess data, but that excess data should not result in fatal inconsistencies, and can be efficiently cleaned up by a garbage collection process at a later time.

FIG. 6 illustrates a more detailed flowchart of an approach to implement top-down access to the metadata, where the access does not require a change or update to the metadata. At 602, an I/O request is received that specifies the vDisk and offset at which the access will occur. The I/O request will also identify the number of bytes that need to be accessed (e.g., read) from that vDisk and offset.

At 604, the vDisk map is accessed to identify the extent ID that corresponds to the specified vDisk and offset. With that extent ID, the extent ID map is accessed at 606 to further identify the corresponding extent group ID.

At 608, the extent group ID is used to query the extent group ID map, to gather storage information for the specified extern group ID. This provides, for example, the disk ID(s) at which the extent ID is located. Assuming that there are multiple storage locations, then the most efficient location may be identified for the data access. For example, if one of the available locations is for a locally attached storage device, then that device would be the preferred device for the data access. At 610, the data would be read from the identified extent. At 612, the checksum value for the data (stored in the extent group ID map) is checked to ensure that the data has not been corrupted.

FIG. 7 illustrates a more detailed flowchart of an approach to implement bottom-up access to the metadata for I/O request that will involve a change or update to the metadata. At 702, an I/O request is received that specifies the vDisk and offset at which the access will occur. The I/O request will also identify the number of bytes that need to be written to that vDisk and offset.

A determination is made at 704 whether or not de-duplication has been enabled. If not, then at 708, a new extent is created to store the non-deduplicated data. If deduplication is turned on, then at 706 a further determination is made as to whether the extent already exists. This is verified by checking whether the SHA1 value corresponds to an extent ID that already exists in the storage system. If the extent does not already exist, then at 708 a new extent is created to store the deduplicated data.

At 710, the extent group ID map is modified. If the extent is newly created, then the entry is updated to reflect the new extent. If the extent already exists, then the entry is modified by incrementing the ref_count. Additional information may also be included or modified in the extent group ID map. For example, the checksum may also be added to the metadata at this time. While the present illustrative discussion centers on write operations, it is noted that a similar set of changes will occur for delete operations, e.g., by decrementing the ref_count value.

After the extent group ID map has been completely updated, then at 712, modification occurs to the extent ID map if necessary. The extent ID map may need to be updated if the extent has been newly created, so that a mapping exists in the extent ID map between the new extent ID and the extent group ID.

After the extent ID map has been completely updated, then at 714, modification occurs to the vDisk map if necessary. The vDisk map is updated so that a mapping exists in the vDisk map between the new extent ID and the vDisk and block locations.

There are certain race scenarios that may occur which should be addressed. For example, consider if there is a race to access the same metadata between a read operation and a write operation. It is possible that the write operation may cause inconsistencies to occur that are detected by the read operation.

FIG. 8 is a flowchart of an approach to handle such race conditions according to some embodiments of the invention. At 802, the read operation will proceed in the top-down direction as described above. A determination is made at 804 whether there is an inconsistency within metadata, e.g., because of the race between the read operation and another write operation.

Assume that such a race situation did in fact occur, and the read operation has now encountered a dangling reference or some other type of inconsistency. To address this, at 806, the operation goes back upwards to re-start the access to the metadata. The hope is that the restart will give the other operation the opportunity to finish, so that any intermediate inconsistencies caused by the other operation will get resolved before it is once again encountered by the current operation. Therefore, the next time through the metadata access in the top-down direction, another check is made at 808 to see if the inconsistency has been resolved (or if it still exists). If the inconsistency has been resolved, then at 812, the metadata access will proceed normally. Otherwise, at 810, error handling will need to occur to address the problem.

Another possible race situation may occur is that two competing operations may seek to both update the same item of metadata at the same time. To address this situation, a “compare and swap” (CAS) operation is implemented for the updates to the metadata. The CAS operation is performed by making sure the metadata at the beginning of the operations remains unchanged all the way through the completion of the operations. If the metadata changes somewhere in the middle of the operation, then this is an indication that another competing operation is simultaneously changing the metadata.

FIG. 9 shows a flowchart of an approach to handle this type of race situation. At 902, instructions are received to perform an update operation to the metadata. At 904, validating information is obtained for the metadata. Such validating information may include, for example, a timestamp for the metadata or a checksum for the metadata.

At a later point in time just prior to completing the operation against the metadata, the saved validating information for the metadata is checked again to make sure it has not changed (906). If the is no inconsistency, then this means that a race condition does not exist or that the current operation has won the race. As a result, the current operation is permitted to complete the update to the metadata at 912.

On the other hand, if there is an inconsistency, then this means that another operation has modified the metadata in the interim. Therefore, at 910, the operation will restart, with the hope that the restart will allow the operation to proceed without losing another race.

According to some embodiments, the CAS operation will provide the property of being a time bounded operation, in which read/write operations will not take more than a certain time period to finish (e.g., seven seconds). A read/write operation would either succeed or fail in less than the specified time period T seconds after it started. If the backend is unable to complete a write operation in T seconds, it will report the operation as a failure, but the write may still succeed afterwards. A subsequent read operation after a failed write operation though, would provide the latest value for the key which would remain consistent with subsequent reads. In addition, the CAS operation will provide “read after write consistency”, in which once a write succeeds, all subsequent reads return the value that was written, until the next write happens. If a read is racing with a write (write has not finished and the read was received within the designated number of seconds of the write operation) then the backend store may return either the old value or the new value being written. “Atomic” CAS is implemented, such that provided key k, current value v and a new value v′, backend store would be able to atomically overwrite the current value v with new value v′. If the current value of key k is not same as v then the atomic CAS operation would fail. Repeatable reads consistency is also provided, such that two read requests for a key k would return the same value v provided there was no write received between the two reads or within T seconds of the time when the reads started. If read r1 started at time t1 and read r2 started at time t2 with t1<t2, then if there was no write received between time [t1−T, t2+T], reads r1 and r2 would both return the same value v.

According to some embodiments, the CAS functionality is provided by taking advantage of a consensus algorithm, e.g., as described in “Paxos Made Simple”, ACM SIGACT News (November 2001). Each column value (cell value) would be chosen by running a Paxos instance among the replica nodes for the cell. Each time a cell value is to be changed, a new Paxos instance for the cell would be executed. During a Paxos instance, once a value is accepted at a replica node, it displaces any older value the node may have accepted earlier (from any previous or current Paxos instance). The current accepted value becomes the latest value stored at the replica node. Thus, at a time, a replica node stores only a single (latest) value for a cell. On a read, a replica node replies with its latest local value. One advantage provided by embodiments of the invention over the base Paxos approach is that the present embodiment can detect and address CAS situations involving multiple operations, e.g., multiple write operations. In this situation, some embodiments operate by ensuring that multiple operations go together, so that failure of one of the multiple operations will result in all of those multiple operations to restart.

For each cell value stored at a replica node, the approach stores the Paxos instance number in which the value was accepted at the node along with value's Paxos proposal number. Also a boolean value is stored that indicates whether the replica node has made any promise for a proposal number for the next Paxos instance. Also stored is an “epoch” associated with the current accepted value at the replica node. The epoch is used to identify a sequence of writes for a cell starting from the first write (for instance 1) until the last write for the cell (the last write being deletion for the cell). Once a cell is deleted the epoch associated with the cell is also destroyed. The next write for the cell (for instance 0) will have a different bigger epoch value and every write for the cell then would contain the same epoch value until the cell gets deleted again. At any single point of time, all the replica nodes for a cell will have the same epoch value for the cell. Reads are initiated through “leader” node. Leader is an alive replica node whose id is lexicographically the first amongst all the alive replica nodes for the key. Writes would also proceed through the “leader” node.

Deleting a cell involves getting the deletion record chosen for the latest instance. Once a deletion record for a value is chosen, one would like to clear all state for the cell from all the replica nodes. This is a notable situation since forgetting all state about a cell can lead to a circumstance where an older write (for an instance before the deletion record got chosen) for the cell can get accepted. Once a deletion for a cell has occurred, the next write that should succeed should be for instance “0” and not for any other instance. Also, older writes generated by a client for a CAS on a value (Paxos instance) from before the deletion happened has to be rejected by the system.

For example: assume that there are two clients in the system: “c1” and “c2”. Further assume that c1 wrote a cell with instance 0 and then c2 obtains a deletion record for the cell chosen at instance 1. Afterwards c2 wrote a new value for the cell for instance 0. Assuming that c1 does not know about the writes “c2” did and c1 without performing a read for the cell generates a new write for instance 1. Now c1 when generating the write for instance 1 thinks it is performing CAS for the older instance 0 value for the cell. In between c2 already deleted and got a newer value chosen for the cell but the instance of the newer value still remains as 0. If Paxos is run for the c1 generated write for instance 1, the write will succeed and c1's proposed value will win. This is clearly an inconsistent CAS write and such a case needs to be avoided. Another case in which an older write can win is when the deletion for the cell didn't occur on all replica nodes. Assume that there are three replica nodes “r1”, r2 and r3. At the time of deletion r3 was down but since a quorum was up, the deletion record got chosen for instance i. Now r3 still has record for instance i−1. If r1 and r2 delete all state about the cell once the deletion record got chosen, then when r3 comes back up it can assert (propose) its value at instance i−1 being the current value for the cell. Nodes r1 and r2 can not stop r3 from asserting (proposing) the value at i−1 if they don't have any state for the cell.

In some embodiments, there are certain properties that are desired for the system to satisfy post deletion for a record, including for example: (1) if deletion occurs for instance i all CAS writes for older values in instances 1 to i−1 must not succeed on the system; and (2) any older write(s) that were accepted at any replica from before the deletion happened can not be asserted (proposed) by the replica after the deletion has happened.

In some embodiments, a unique id (“epoch”) is used to identify a sequence of writes for a value. During a lifetime for a cell, from its first write till its last write (deletion for the cell) the epoch for the cell remains the same. The CAS writes for the cell thus happens on the “<epoch, instance>” tuple and not just on instance. When a leader runs Paxos write for deletion of a cell, it tries to get the special deletion value chosen for the cell for latest instance.

While running Paxos for the delete, there are several possibilities that may occur. On possibility is that the Paxos run for the deletion fails. In this case, nothing should be done, and a failure is returned for the deletion to the client. Another possibility is that the Paxos run for the deletion is successful and the special deletion value is chosen for instance i. If all the replica nodes accepted the delete value then leader runs a 2 phase commit. It will send a message to all replica nodes to get ready to delete the cell value forever, and this also indicates to all replica nodes that the delete value got chosen. Once all replica nodes acknowledge this message, leader sends the final “delete forever” message to all the replica nodes. Alternatively, if some replica nodes did not accept the delete value during the Paxos run (e.g., some nodes may be down) then a tombstone for the delete is kept. The leader sends the tombstone chosen value to all the replica nodes. This signifies that the delete was successful (chosen) but it can't be removed from the disk because an older write for the cell may still be lingering on in some replica node(s). Once a replica node receives information about the fact that a delete was chosen (either tombstoned, or to be deleted forever) then it can successfully prepare/accept messages for a new epoch for instance 0. Otherwise if the node does have the “delete” value accepted but doesn't know about whether the delete was chosen then it can't accept a write for a newer epoch.

There are generally some scenarios in which race situations are expected to occur, and therefore can be directly addressed without the need to perform “restarts” of operations as described above. For example, consider the situation in which a user wishes to write a large volume of data, and the data is likely to be sequentially written to the same extent group. In this situation, it is highly predictable that multiple operations will seek to update portions of the same set of metadata. Since this situation can be predicted, there are more efficient ways to handle the potential conflicts without resorting to the standard approach of waiting for the conflicts to be detected, and then having the operations restart upon detecting the conflict.

The more efficient approach is to recognize these situations upfront, and to “cheat” by allowing the operations to become aware of the intent of the other operations. In this way, the operations do not get blocked by the other operation. Importantly, the operations will not need to restart even upon a change to the metadata timestamp or checksum, since the intent of the other operation is known and can be accounted for.

One way to implement this approach is to create an intent log to be written somewhere before a change to the metadata is done. The intent log can be created in a way that it is accessible by the other operations, e.g., within a set of common state if both operations are running within the same service VM. The tentative updates by the operations to the extents are posted to the intent log.

FIG. 10 shows a flowchart of an approach for implementing this optimization according to some embodiments of the invention. At 1002, a determination is made that the situation is one in which there is recognition of the expected race condition. At 1004, the intent log is checked for the intent of the other operations. In addition, at 1006, the current operation will also write its intent information into the intent log.

Thereafter, at 1008, the current operation can proceed with its update to the metadata, with knowledge of the intent of the other operations. Even if the metadata changes in the interim, this will not affect the ability of the current operation to proceed, subject to those changes corresponding to the intentions of the other operations as posted within the intent log. After the operations have completed, the intent information can be removed from the intent log at 1010. The checksum information can also be updated at this time.

If a component were to crash midway in a transaction, the recovery process could re-apply the intent recorded in the intent log. FIG. 11 shows a flowchart of an approach for using the tentative update information in the intent log to check for and address crashes. At 1102, an identification is made of dangling intent information in the intent log. At 1104, a check is made of the status of the status of the operation that corresponds to the tentative update in the intent log. This check is made by sending an inquiry to the extent store.

If the conclusion is reached at 1106 that the operation corresponding to the tentative update has completed, then clean-up can occur at 1108 to remove the dangling intent information. Even if the other operation has not completed the update, it could be the situation that the update is completeable. If so, then part of the clean-up activities at 1108 is to also complete the operation.

However, it is possible that the crash is not recoverable. In this situation, at 1110, recovery will occur to roll back the effects of the crashed operation. Part if the clean up activities at 1110 is to clean up the intent log to remove the references to the tentative updates.

Therefore, what has been described is an improved approach for implementing metadata to perform I/O management for storage devices in a virtualization architecture.

System Architecture

FIG. 12 is a block diagram of an illustrative computing system 1400 suitable for implementing an embodiment of the present invention. Computer system 1400 includes a bus 1406 or other communication mechanism for communicating information, which interconnects subsystems and devices, such as processor 1407, system memory 1408 (e.g., RAM), static storage device 1409 (e.g., ROM), disk drive 1410 (e.g., magnetic or optical), communication interface 1414 (e.g., modem or Ethernet card), display 1411 (e.g., CRT or LCD), input device 1412 (e.g., keyboard), and cursor control.

According to one embodiment of the invention, computer system 1400 performs specific operations by processor 1407 executing one or more sequences of one or more instructions contained in system memory 1408. Such instructions may be read into system memory 1408 from another computer readable/usable medium, such as static storage device 1409 or disk drive 1410. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and/or software. In one embodiment, the term “logic” shall mean any combination of software or hardware that is used to implement all or part of the invention.

The term “computer readable medium” or “computer usable medium” as used herein refers to any medium that participates in providing instructions to processor 1407 for execution. Such a medium may take many forms, including but not limited to, non-volatile media and volatile media. Non-volatile media includes, for example, optical or magnetic disks, such as disk drive 1410. Volatile media includes dynamic memory, such as system memory 1408.

Common forms of computer readable media includes, for example, floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, any other memory chip or cartridge, or any other medium from which a computer can read.

In an embodiment of the invention, execution of the sequences of instructions to practice the invention is performed by a single computer system 1400. According to other embodiments of the invention, two or more computer systems 1400 coupled by communication link 1415 (e.g., LAN, PTSN, or wireless network) may perform the sequence of instructions required to practice the invention in coordination with one another.

Computer system 1400 may transmit and receive messages, data, and instructions, including program, i.e., application code, through communication link 1415 and communication interface 1414. Received program code may be executed by processor 1407 as it is received, and/or stored in disk drive 1410, or other non-volatile storage for later execution.

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. For example, the above-described process flows are described with reference to a particular ordering of process actions. However, the ordering of many of the described process actions may be changed without affecting the scope or operation of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than restrictive sense. 

What is claimed is:
 1. A method for performing lock free processing of metadata for storage devices in a virtualization system, comprising: identifying a metadata structure hierarchy with a plurality of levels including at least a first level corresponding to a virtual storage unit and a mapping between portions of the virtual storage unit to contiguous physical storage, and a second level corresponding to information describing the physical storage; reading from the metadata structure in a first order from the first level to the second level without locking; and writing to the metadata structure in a second order from the second level to the first level without locking, wherein the second order is opposite of the first order.
 2. The method of claim 1, in which the virtual storage unit comprises a virtual disk, the physical storage comprises an extent, and the mapping comprises a mapping between one or more extents and a virtual disk address space.
 3. The method of claim 2, in which the mapping can be used to identify an extent identifier using a virtual disk identifier and an offset within the virtual disk.
 4. The method of claim 2, in which one or more extents corresponds to a file having multiple extents.
 5. The method of claim 1, in which the mapping comprises information pertaining to replica information and extent information.
 6. The method of claim 5, in which the extent information comprises a reference count, a checksum, or an offset location.
 7. The method of claim 1, in which an extent is de-duplicated, and the metadata comprises an indication of de-duplication for the extent.
 8. The method of claim 7, in which an update to a virtual disk address space causes replacement of an existing extent with a replacement extent.
 9. The method of claim 7, in which de-duplicated extents have the same extent identifier.
 10. The method of claim 1, in which a reference count is maintained to indicate a number of references for an extent.
 11. The method of claim 1, in which garbage collection is implemented by removing extraneous or dangling items in the metadata.
 12. The method of claim 1, in which a race condition is identified, and accessing of the metadata is restarted.
 13. The method of claim 12, in which the race condition is identified because of an inconsistency in the metadata.
 14. The method of claim 13, in which a check is made whether the inconsistency is resolved after the restart, wherein an error condition is identified if the inconsistency is not resolved.
 15. The method of claim 1, in which an update operation to an item of metadata is performed such that the item is confirmed not to have been changed by another entity from start of the update operation to conclusion of the update operation.
 16. The method of claim 15, in which a compare and swap procedure is performed to perform the update operation.
 17. The method of claim 1, in which an intent to update an item of metadata is recorded, where the intent can be accessed by other operations.
 18. A storage system comprising storage devices in a virtualization system, comprising: a processor to handle computing instructions to access the storage devices; and computer readable medium comprising metadata for the virtualization system, wherein the metadata comprises a metadata structure hierarchy with a plurality of levels including at least a first level corresponding to a virtual storage unit and a mapping between portions of the virtual storage unit to contiguous physical storage, and a second level corresponding to information describing the physical storage, in which lock-free access of the metadata is implemented by the processor reading from the metadata structure in a first order from the first level to the second level without locking and writing to the metadata structure in a second order from the second level to the first level without locking, wherein the second order is opposite of the first order.
 19. The system of claim 18, in which the virtual storage unit comprises a virtual disk, the physical storage comprises an extent, and the mapping comprises a mapping between one or more extents and a virtual disk address space.
 20. The system of claim 19, in which the mapping can be used to identify an extent identifier using a virtual disk identifier and an offset within the virtual disk.
 21. The system of claim 18, in which one or more extents corresponds to a file having multiple extents.
 22. The system of claim 18, in which the mapping comprises information pertaining to replica information and extent information.
 23. The system of claim 22, in which the extent information comprises a reference count, a checksum, or an offset location.
 24. The system of claim 18, in which an extent is de-duplicated, and the metadata comprises an indication of de-duplication for the extent.
 25. The system of claim 24, in which an update to a virtual disk address space causes replacement of an existing extent with a replacement extent.
 26. The system of claim 24, in which de-duplicated extents have the same extent identifier.
 27. The system of claim 18, in which a reference count is maintained to indicate a number of references for an extent.
 28. A computer program product embodied on a non-transitory computer usable medium, the computer readable medium having stored thereon a sequence of instructions which, when executed by a processor causes the processor to execute a method for performing lock free processing of metadata for storage devices in a virtualization system, the method comprising: identifying a metadata structure hierarchy with a plurality of levels including at least a first level corresponding to a virtual storage unit and a mapping between portions of the virtual storage unit to contiguous physical storage, and a second level corresponding to information describing the physical storage; reading from the metadata structure in a first order from the first level to the second level without locking; and writing to the metadata structure in a second order from the second level to the first level without locking, wherein the second order is opposite of the first order.
 29. The computer program product of claim 28, in which the virtual storage unit comprises a virtual disk, the physical storage comprises an extent, and the mapping comprises a mapping between one or more extents and a virtual disk address space.
 30. The computer program product of claim 29, in which the mapping can be used to identify an extent identifier using a virtual disk identifier and an offset within the virtual disk.
 31. The computer program product of claim 29, in which one or more extents corresponds to a file having multiple extents.
 32. The computer program product of claim 28, in which the mapping comprises information pertaining to replica information and extent information.
 33. The computer program product of claim 32, in which the extent information comprises a reference count, a checksum, or an offset location.
 34. The computer program product of claim 28, in which an extent is de-duplicated, and the metadata comprises an indication of de-duplication for the extent.
 35. The computer program product of claim 34, in which an update to a virtual disk address space causes replacement of an existing extent with a replacement extent.
 36. The computer program product of claim 34, in which de-duplicated extents have the same extent identifier.
 37. The computer program product of claim 28, in which a reference count is maintained to indicate a number of references for an extent.
 38. The computer program product of claim 28, in which garbage collection is implemented by removing extraneous or dangling items in the metadata.
 39. The computer program product of claim 28, in which a race condition is identified, and accessing of the metadata is restarted.
 40. The computer program product of claim 39, in which the race condition is identified because of an inconsistency in the metadata.
 41. The computer program product of claim 40, in which a check is made whether the inconsistency is resolved after the restart, wherein an error condition is identified if the inconsistency is not resolved.
 42. The computer program product of claim 28, in which an update operation to an item of metadata is performed such that the item is confirmed not to have been changed by another entity from start of the update operation to conclusion of the update operation.
 43. The computer program product of claim 42, in which a compare and swap procedure is performed to perform the update operation.
 44. The computer program product of claim 28, in which an intent to update an item of metadata is recorded, where the intent can be accessed by other operations. 